The Eighth Circuit Further Complicates Plaintiff Standing in Data Breach Cases.

• Author: Wynhausen, Aaron

In re Super Valu, Inc., 870 F.3d 763 (8th Cir. 2017)

Kuhns v. Scottrade, Inc., 868 F.3d 711 (8th Cir. 2017)

1. INTRODUCTION

   Mass data breaches are a symptom of the digital era and occur with increasing frequency. In the past decade, nearly every sector of the economy has experienced a major breach of personal data, including finance, healthcare, retail, government, hospitality, media, and technology. (1) Breaches affect consumer data, government agencies, voting rolls, healthcare providers, scientific data, business records and trade secrets, attorney work-product, and nearly everything else digital. (2) Fiascos surrounding poor data stewardship at companies, like Facebook and Equifax, arc frequently featured in national media. (3)

   As large data caches containing sensitive personally identifiable information continue to expand, the chances for a breach grow in kind. The potential harm from a breach varies depending on the type of data compromised. Breaches of the most sensitive data, such as social security numbers, embarrassing personal information, medical information, and bank account information, can lead to mass disruptions in people's lives. Breaches of less sensitive data, such as credit card information, online account login credentials, email addresses, home addresses, and phone numbers have less potential for direct harm but can have frustrating consequences for those whose data is compromised. No uniform federal law exists governing the legal duties of those who collect and store personally identifiable information ("PII"), and when a breach occurs, the difficulty in identifying actual harm or quantifying a remedy makes the appropriate legal response unclear.

   In 2016, reported data breaches increased to a record 1,093 incidents--exposing over thirty-six million identified records. (4) Some estimates suggest that between eighty to ninety percent of Fortune 500 companies and government agencies have experienced a data security breach. (5) The proliferation of data breaches led one federal judge to note that "[t]herc are only two types of companies left in the United State[ according to data security experts: 'those that have been hacked and those that don't know they've been hacked.'" (6) Influential digital security expert Brian Krebs summed up the phenomenon in a blog post identifying the "immutable truths" about data breaches:

   There are some fairly simple, immutable truths that each of us should keep in mind, truths that apply equally to political parties, organizations and corporations alike: [(1)] If you connect to the Internet, someone will try to hack it. [(2)] If what you put on the Internet has value, someone will invest time and effort to steal it. [(3)] Even if what is stolen does not have immediate value to the thief, he can easily find buyers for it. [(4)] The price he secures for it will almost certainly be a tiny slice of its true worth to the victim. [(5)] Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets. (7) Plaintiffs have brought hundreds of class action lawsuits against organizations that were responsible for maintaining customer PII and subsequently suffered a breach. (8) While data breach cases have been litigated in nearly every federal circuit court, each circuit has treated them differently with respect to standing and whether a claim for damages exists. (9) Most of these cases are appealed on standing issues. (10) This Note examines two recent cases from the U.S. Court of Appeals for the Eighth Circuit and analyzes how these decisions fit into the greater scheme of data breach litigation in the United States today.

2. FACTUAL BACKGROUND

   This Note examines two cases from the Eighth Circuit, both dealing with the same general issue--an unauthorized breach of consumer data. Each class action was consolidated to a district court within the Eighth Circuit, dismissed for lack of standing, and appealed by the plaintiffs to separate panels. (11) The appellate decisions were released just nine days apart. (12) The type of breach was unique in each case, and the plaintiffs claimed different types of injuries, but the legal issue on appeal remained the same--did the plaintiffs sufficiently allege an injury in fact for purposes of establishing Article III standing? This Part summarizes the facts and provides a brief procedural history of each case.

   1. Kuhns v. Scottradc, Inc.: Decided August 21, 2017 (13)

      The first of the two cases decided by the Eighth Circuit involved hackers accessing the customer database of Scottrade, a securities brokerage firm headquartered in St. Louis, Missouri. (14) Between September 2013 and February 2014, the hackers acquired PII of over 4.6 million customers. (15) The hackers then used this data to operate a stock manipulation scheme, a dozen illegal internet gambling websites, and even a Bitcoin exchange. (16) Scottrade was unaware of the breach until August 2015, when the Federal Bureau of Investigation ("FBI") notified Scottrade that the breach had occurred. (17) Scottrade began notifying affected customers through email and mail on October 2, 2015, and suggested customers be "vigilant" for signs of fraud for the next two years. (18) Scottrade then arranged to have customers receive one year of "identity repair and protection services 'with no enrollment required'" and offered one year of free credit monitoring and identity theft insurance. (19)

      When customers signed up for an account with Scottrade, they provided PII in the form of names, addresses, social security numbers, tax identification numbers, telephone numbers, email addresses, employer information, and work history. (20) A "Privacy Policy and Security Statement" was included in the agreement made with customers. (21) In the Privacy Policy, Scottrade claimed that it would "maintain physical, electronic and procedural safeguards ... to guard... nonpublic personal information" and that it "offer[ed] a secure server and password-protected environment... protected by... encryption." (22) Scottrade also made two separate representations online that contained similar language. (23)

      After the announcement of the breach, several customers ("Plaintiffs," collectively) filed four separate punitive class action complaints in three federal district courts. (24) The U.S. District Court for the Eastern District of Missouri consolidated the actions into its jurisdiction. (25) The four named Plaintiffs filed a consolidated class action seeking a certification of the class, damages for ten causes of action, (26) injunctive relief, and attorneys' fees and costs. (27) The district court refused to consider the merits of the case and dismissed the case without prejudice for lack of subject matter jurisdiction. (28) The court dismissed because Plaintiffs failed to allege sufficient injuries to satisfy Article III standing requirements. (29) Only one named Plaintiff, Matthew Kuhns, appealed; and the main question on appeal was whether his claimed injuries were sufficient to satisfy Article III standing. (30) Scottrade cross-appealed, claiming that even if Kuhns had standing, he had not pleaded sufficient facts for which relief could be granted. (31)

      Kuhns argued that "Scottrade provided deficient cybersecurity in violation of its 'contractual and other obligations.'" (32) He claimed that because of that deficiency, he "faced an immediate and continuing increased risk of identity theft," incurred costs from monitoring personal accounts to mitigate risk of fraud, received diminished value of services from Scottrade, overpaid for diminished services, suffered a decline in value of his PII, and suffered an invasion of privacy. (33)

      Scottrade argued that Kuhns failed to establish '"concrete facts' sufficient to plausibly suggest a certainly impending risk of future identity theft" resulting from the hack. (34) Regarding the "diminished value" claim, Scottrade argued that the fees paid were to execute stock trades--which were faithfully executed --and therefore there was no breach of contract and Kuhns received the full "benefit of the bargain." (35) Scottrade further argued that even if the Eighth Circuit were to find standing, it should dismiss the case for failure to state a claim for which relief could be granted because no actual monetary damages could be identified. (36)

      The Eighth Circuit held that Kuhns had standing based on his contract claims, reasoning that customers "did not receive the full benefit of [the] bargain" and "received brokerage services of [a] lesser value" when their PII was compromised. (37) The Eighth Circuit found that Scottrade breached the contract by failing to provide "promised reasonable safeguards" contained within a privacy policy, which, in turn, caused Kuhns to suffer injury in fact sufficient to confer standing. (38) However, the court affirmed the dismissal with prejudice because Kuhns failed to plausibly allege "actual damages" in the breach of contract. (39)

   2. In re SuperValu, Inc.: Decided August 30, 2017 (40)

      The second of the two cases decided by the Eighth Circuit involved the theft of customer financial information from major grocery store chains after hackers installed malicious software on point-of-sale devices in over 1,000 stores. (41) From June 22, 2014, to July 17, 2014, hackers gained access to the computer network that SuperValu used to process credit and debit card transactions. (42) The hackers installed software on that network, which allowed them to "harvest" customer payment information as it crossed the network. (43) This information included customer names, payment card account numbers, (44) expiration dates, card verification codes, and personal identification numbers. (45) This type of information is considered PII, and the "harvesting" of that data is considered theft. (46)

      On August 14, 2014, nearly two months...